ADMIN: quick note about the list

2008-06-05 Thread Perry E. Metzger

A quick note from your moderator:

A few people have asked about this recently so I thought I'd explain.

The list server blocks posts from people who are not list subscribers.
This is done at the incoming SMTP server, during the SMTP dialog,
based on envelope sender.

I do things this way because the list gets about one spam attempt
every two minutes (though on bad days it can be much more). Many of
those would be blocked by other means, but a few hundred a day
would still get through. I could not possibly process this many
postings by hand.

Every once in a while, someone asks "do you have a way to let me post
from an email address that is not subscribed", and the answer is yes,
I do. The code that checks who is allowed to send to the list checks
both the normal subscribers and a special "post only" list. If it is
important for you to be able to post from an address you are not
subscribed on, contact me privately and appropriate arrangements will
be made.


Perry

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
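The SMTP-time envelope-sender check Perry describes, as an added example that is not the list's own code: a Python sketch that parses the MAIL FROM command, normalises the reverse-path, and answers with the SMTP reply the server would give before DATA is ever reached. The subscriber and "post only" rolls are constructed for the example, the normalisation rule (compare the whole address case-insensitively) and the reply texts are assumptions, and the decision is shown directly at MAIL FROM for clarity; a real server would hold the 550 until the list's posting address appeared in RCPT TO, since other mailboxes on the same host need not apply the rule.

```python
import re

# Constructed sample rolls for the example; the real list's data is not on the page.
SUBSCRIBERS = {"alice@example.org", "bob@example.net"}
POST_ONLY = {"carol-work@example.com"}   # the special "post only" roll Perry mentions

# MAIL FROM:<reverse-path> [SP mail-parameters]   (RFC 5321, section 4.1.1.2)
_MAIL_FROM = re.compile(r"^MAIL\s+FROM:\s*<([^>]*)>(?:\s+\S.*)?$", re.IGNORECASE)


def parse_mail_from(line):
    """Return the reverse-path from a MAIL FROM command: '' for the null
    sender, None if the command is malformed."""
    m = _MAIL_FROM.match(line.strip())
    if m is None:
        return None
    path = m.group(1).strip()
    # An obsolete source route ("@relay1,@relay2:user@host") must be accepted
    # and ignored by receivers (RFC 5321, section 4.1.1.2); keep only the mailbox.
    if path.startswith("@") and ":" in path:
        path = path.split(":", 1)[1]
    return path


def normalize(addr):
    """Canonical form for roll lookups: the whole address lower-cased.
    RFC 5321 makes the local part case-sensitive, but list software compares
    it case-insensitively in practice; treating it that way is a policy choice
    assumed here, not something the post states."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return None
    return f"{local}@{domain}".lower()


def sender_decision(line, subscribers=SUBSCRIBERS, post_only=POST_ONLY):
    """Decide whether this envelope sender may post to the list and return
    the SMTP reply line the server would send in answer to MAIL FROM."""
    path = parse_mail_from(line)
    if path is None:
        return "501 5.5.4 Syntax error in MAIL FROM"
    if path == "":
        # Null reverse-path: bounces and DSNs, never a subscriber's post.
        return "550 5.7.1 Null sender may not post to the list"
    addr = normalize(path)
    if addr is None:
        return "501 5.1.7 Bad sender address syntax"
    if addr in subscribers or addr in post_only:
        return "250 2.1.0 Sender ok"
    # Refused before DATA, so the message body is never received or queued.
    return "550 5.7.1 Posting requires a subscribed envelope sender"


if __name__ == "__main__":
    # Constructed client commands; "S:" lines are the replies this policy produces.
    for cmd in (
        "MAIL FROM:<Alice@Example.ORG>",
        "MAIL FROM:<carol-work@example.com> SIZE=1024",
        "MAIL FROM:<@relay.example:bob@example.net>",
        "MAIL FROM:<>",
        "MAIL FROM:<mallory@spam.example>",
        "MAIL FROM: no-brackets",
    ):
        print(f"C: {cmd}\nS: {sender_decision(cmd)}")
```

Refusing at the envelope stage is what makes this workable at one attempt every two minutes: the body is never accepted, so nothing is queued or read by hand. The caveat a practitioner should keep in mind is the one the post leaves implicit: the envelope sender is asserted by the connecting client, so this filters bulk junk rather than anyone who takes the trouble to forge a subscriber's address.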


ADMIN: list downtime

2008-06-05 Thread Perry E. Metzger

The list will be experiencing some delays later today while the server
managing it gets some needed maintenance. It should be down for a few
hours at most.

Perry


Re: the joy of "enhanced" certs

2008-06-05 Thread Stefan Kelm
There's a nice short paper by Swiss Company keyon entitled
"Faking EV SSL in IE7":



Cheers,

Stefan.

-
Security Awareness Symposium 17.-18.06.2008 KA/Ettlingen
http://www.security-awareness-symposium.de/
-
Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Ettlinger Strasse 12-14, D-76137 Karlsruhe
Tel. +49 721 255171-304, Fax +49 721 255171-100
[EMAIL PROTECTED], http://www.secorvo.de/
PGP: 87AE E858 CCBC C3A2 E633 D139 B0D9 212B

Mannheim HRB 108319, Geschaeftsfuehrer: Dirk Fox


Re: the joy of "enhanced" certs

2008-06-05 Thread Peter Gutmann
"Perry E. Metzger" <[EMAIL PROTECTED]> writes:

>An object lesson in this just fell in my lap -- I just got my first email
>from a spammer that links to a web site that uses such a cert, certified by a
>CA I've never heard of ("Starfield Technologies, Inc.") Doubtless they sell
>discount "Enhanced Security" certs so you don't have to worry about paying
>more money either. I haven't checked the website for drive by malware, but I
>wouldn't be shocked if it was there.

There's another data source that's examined the effect of EV certs and browser
blacklists on a much larger scale, namely the APWG statistics.  They show an
essentially flat distribution for phishing from January 2007 to January 2008,
the period of phase-in of EV certs and the browser anti-phishing filters.  In
other words the attack stats show that the effect of EV certs was exactly as
expected.

(Hat tip to an APWG member who made this point during a conference talk
recently).

>I'm thinking of starting a CA that sells "super duper enhanced security"
>certs

So you could have EV certs, EEV certs, EEEV certs, V certs, a PKI
equivalent of the 'aptitude -v[v[v[v[v[v...] moo' trick.  Every couple of
years when people realise that the current level of (E^n)V certs work no
better than the (E^n-1)V certs that preceded them did, you add another 'E' and
everyone gets to pay again for a new set of certs.  The only potential problem
is that all the CAs would have to agree to add more E's in lock-step,
otherwise you'd get a tragedy-of-the-commons effect where the CA who adds the
most E's the quickest wins.

Peeeter.


Re: the joy of "enhanced" certs

2008-06-05 Thread John Levine
>An object lesson in this just fell in my lap -- I just got my first
>email from a spammer that links to a web site that uses such a cert,
>certified by a CA I've never heard of ("Starfield Technologies, Inc.")

Oh, you've heard of them, just not under that name.  It's GoDaddy.

The green bar certs cost $500 for one year, $800 for two years, which
make them way more expensive than the $25 normal ones, but still
impressively cheap considering the claims made for them.

>To be really sure, we'll make them fax said document in on genuine
>company letterhead, since no one can forge letterhead.

Now, now, their verification process apparently involves checking that
the name of the organization you provide exists in the relevant
business registry, so when you're picking a fake name, be sure to do a
few wildcard lookups at the NYS DOS web site first.  They say their
process is so stringent it can take as long as FOUR HOURS to issue
your cert.  Wow!

You know, when I got my first ordinary SSL cert, it cost about $200
and I had to mail all sorts of paper documentation to Thawte in North
Carolina.  Does anyone know when issuers stopped bothering to verify
anything?

R's,
John


Re: the joy of "enhanced" certs

2008-06-05 Thread Chris Kuethe
On Wed, Jun 4, 2008 at 12:51 PM, Perry E. Metzger <[EMAIL PROTECTED]> wrote:
> An object lesson in this just fell in my lap -- I just got my first
> email from a spammer that links to a web site that uses such a cert,
> certified by a CA I've never heard of ("Starfield Technologies, Inc.")

starfield = godaddy.

see https://www.godaddy.com/gdshop/ssl/ssl.asp?app_hdr=&ci=12421 and
click on the fluffy little webtrust icons to get the reports.
https://cert.webtrust.org/ViewSeal?id=355

-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?


Re: the joy of "enhanced" certs

2008-06-05 Thread Allen

Perry E. Metzger wrote:

[snip]


I'm thinking of starting a CA that sells "super duper enhanced
security" certs, where we make the company being certified sign a
document in which they promise that they're absolutely trustworthy.
To be really sure, we'll make them fax said document in on genuine
company letterhead, since no one can forge letterhead.


ROTFLMGO!

But I've got one better for you. The domain name registrar that I 
have been using went out of business and the domain names were 
handed over to another registrar. In order to gain control of 
them again I have to:



1. Create a free login ID at www.eNomCentral.com (your domain will not be there 
just yet)

2. In order to verify domain ownership, please do one of the following:
a) send a copy of your photo ID matching the WHOIS record for the domain or
b) send a receipt reflecting past payment for the domain

3. Please send an email with your login ID, domain name and domain ownership 
verification to: [EMAIL PROTECTED]


When I asked how they wanted the ID they said a scan of a picture 
of me attached to the e-mail!


Photoshop anyone?

Best,

Allen


Re: the joy of "enhanced" certs

2008-06-05 Thread Leichter, Jerry
On Wed, 4 Jun 2008, Perry E. Metzger wrote:
| As some of you know, one can now buy "Enhanced Security" certificates,
| and Firefox and other browsers will show the URL box at the top with a
| special distinctive color when such a cert is in use.
| 
| Many of us have long contended that such things are worthless and
| prove only that you can pay more money, not that you're somehow more
| trustworthy.
| 
| An object lesson in this just fell in my lap -- I just got my first
| email from a spammer that links to a web site that uses such a cert,
| certified by a CA I've never heard of ("Starfield Technologies, Inc.")
| Doubtless they sell discount "Enhanced Security" certs so you don't
| have to worry about paying more money either. I haven't checked the
| website for drive by malware, but I wouldn't be shocked if it was
| there.
| 
| I'm thinking of starting a CA that sells "super duper enhanced
| security" certs, where we make the company being certified sign a
| document in which they promise that they're absolutely trustworthy.
| To be really sure, we'll make them fax said document in on genuine
| company letterhead, since no one can forge letterhead.
This message, shortly after our discussion of trust, makes me think of
the applicability of an aspect of linguistic theory, namely speech acts.
Speech acts are expressions that go beyond simply communication to
actually produce real-world effects.  The classic example:  If I say
"John and Sarah are married", that's a bit of communication; I've passed
along to listeners my belief in the state of the world.  When a
minister, in the right circumstances, says "John and Sarah are married",
those words actually create the reality:  They *are* now married.

There are many more subtle examples.  A standard example is that of
a promise:  To be effective as a speech act, the promise must be
made in a way that makes it clear that the promiser is undertaking
some obligation, and the promiser must indeed take on that obligation.
There's a whole cultural context involved here in what is needed for
an obligation to exist and what it actually means to be obligated.
(Ultimately, the theory gets pushed to the point where it breaks;
but we don't have to go that far.)

In human-to-human communication, we naturally understand and apply the
distinction between speech acts and purely communicative speech.  It's
not that we can't be fooled - a person who speaks with authority is
often taken to have it, which may allow him to create speech acts he
should not be able to - but this is relatively rare.

When exchanging data with a machine, the line between communication and
speech acts gets very blurry.  (You can think of this as the blurry line
between data and program.)  When I go into a store and ask for
information, I see myself and the salesman as engaging in pure
communication.  There are definite, well-understood ways - socially and
even legally defined steps - that identify when I've crossed over into
speech acts and have, for example, taken on an obligation to pay for
something.  When, on the other hand, I look at a Web site, things are
not at all clear.  From my point of view, the data coming to my screen
is purely communication to me.  From the computer's point of view, the
HTML is all "speech acts," causing the computer to take some actions.
My clicks are all "speech acts" to the server.  Problems arise when what
I see as pure communication is somehow transformed, without my consent
or even knowledge, into speech acts that implicate *me*, rather than my
computer.  This happens all too easily, exactly because the boundary
between me and my computer is so permeable, in a Web world.

Receiving an SSL cert, in the proper context (corresponds to the URL
I typed, signed by a trusted CA), is supposed to be a speech act to
me as a human being:  It's supposed to cause me to believe that I've
reached the site I meant to reach.  (My machine, of course, doesn't
care - it has no beliefs and has nothing at risk.)  The reason the model
is so appealing is that it maps to normal human discourse.  If my friend
tells me "I'll bring dinner," I don't cook something while waiting for
him to arrive.

Unfortunately, as we've discussed here many times, the analogy is
deeply, fundamentally flawed.  SSL certs don't really work like trusted
referrals from friends, and the very familiarity of the transactions is
what makes them so dangerous:  It makes it too easy for us to treat
something as a speech act when we really shouldn't.

Enhanced security certs simply follow the same line of reasoning.  They
will ultimately prove just as hazardous.

Going back to promises as speech acts:  When a politician promises to
improve the economy, we've all come to recognize that, although that's
in the *form* of a promise, it doesn't actually create any obligation.
"Improving the economy" isn't something anyone can actually do - even if
we could agree on what it means.  Such a promise is simply a way of
saying "I think the 

Re: Code makers and breakers of WWII era

2008-06-05 Thread Ali, Saqib
Actually the correct URL is:
http://www.sscnet.ucla.edu/geog/gessler/collections/cryptology.htm

On Wed, Jun 4, 2008 at 1:59 PM, Ali, Saqib <[EMAIL PROTECTED]> wrote:
> Here is another site that has a lot more details and photographs:
> http://www.sscnet.ucla.edu/geog/gessler/collections/crypto-hebern.htm
>
> saqib
> http://doctrina.wordpress.com/
>


Re: Code makers and breakers of WWII era

2008-06-05 Thread Ali, Saqib
Here is another site that has a lot more details and photographs:
http://www.sscnet.ucla.edu/geog/gessler/collections/crypto-hebern.htm

saqib
http://doctrina.wordpress.com/
